Test Item File Questions
Chapter 2
Planning
2-1 This book focuses on ______.
a. offense
b. defense
c. offense and defense about equally
d. None of the above.
Answer: B
Page: 51-52
Question: 1
Difficulty: Easy
2-2 Closing all routes of attack into an organization's system is called ______.
a. defense in depth
b. comprehensive security
c. total security
d. access control
Answer: B
Page: 52
Question: 2b
Difficulty: Easy
2-3 A ______ occur(s) when a single security element failure defeats the overall security of a system.
a. spot failure
b. weakest link failure
c. defense in depth departure
d. critical failure
Answer: B
Page: 53
Question: 2c
Difficulty: Difficult
2-4 Which of the following is a formal process?
a. Annual corporate planning.
b. Planning and developing individual countermeasures.
c. Both A and B.
d. Neither A nor B.
Answer: C
Page: 54
Question: 3a
Difficulty: Easy
2-5 A planned series of actions in a corporation is a(n) _____.
a. strategy
b. sequence
c. process
d. anomaly
Answer: C
Page: 54
Question: 3a
Difficulty: Medium
2-6 The growing number of compliance laws and regulations is driving firms to use formal governance frameworks to guide their security processes.
TRUE
FALSE
Answer: TRUE
Page: 55
Question: 3b
Difficulty: Easy
2-7 Many compliance regimes require firms to adopt a specific formal governance framework to drive security planning and operational management.
TRUE
FALSE
Answer: TRUE
Page: 55
Question: 3b
Difficulty: Medium
2-8 Planning, protection, and response follow a fairly strict sequence from one stage to another.
TRUE
FALSE
Answer: FALSE
Page: 55-56
Question: 4b
Difficulty: Easy
2-9 The stage of the plan-protect-respond cycle that consumes the most time is ______.
a. planning
b. protection
c. response
d. Each of the above consumes about the same amount of time.
Answer: B
Page: 56
Question: 4c
Difficulty: Easy
2-10 _____ is the plan-based creation and operation of countermeasures.
a. Planning
b. Protection
c. Response
d. All of the above.
Answer: B
Page: 56
Question: 4d
Difficulty: Easy
2-11 What is missing from the definition of response as "recovery"?
a. "according to plan" must be added to "recovery".
b. The definition must refer to specific resources.
c. "Reasonable degree of" must begin the definition.
d. "and prosecution" must be added after "recovery".
Answer: A
Page: 57
Question: 4e
Difficulty: Difficult
2-12 Strong security can be an enabler, allowing a company to do things it could not do otherwise.
TRUE
FALSE
Answer: TRUE
Page: 57
Question: 5a
Difficulty: Easy
2-13 The key to security being an enabler is _____.
a. getting it involved early within the project
b. having strong corporate policies
c. extensive training
d. adequate spending on security
Answer: A
Page: 58
Question: 5b
Difficulty: Medium
2-14 IT security people should maintain a negative view of users.
TRUE
FALSE
Answer: FALSE
Page: 59
Question: 5c
Difficulty: Easy
2-15 It is a good idea to view the security function as a police force or military organization.
TRUE
FALSE
Answer: FALSE
Page: 59
Question: 5d
Difficulty: Easy
2-16 The first step in developing an IT security plan is to ______.
a. determine needs
b. assess the current state of the company's security
c. create comprehensive security
d. prioritize security projects
Answer: B
Page: 59
Question: 6a
Difficulty: Difficult
2-17 Once a company's resources are enumerated, the next step is to _____.
a. create a protection plan for each
b. assess the degree to which each is already protected
c. enumerate threats to each
d. classify them according to sensitivity
Answer: D
Page: 60
Question: 6c
Difficulty: Difficult
2-18 A company should develop a remediation plan for EVERY security gap.
TRUE
FALSE
Answer: TRUE
Page: 60
Question: 6d
Difficulty: Easy
2-19 A company should consider its list of possible remediation plans as an investment portfolio.
TRUE
FALSE
Answer: TRUE
Page: 60
Question: 6e
Difficulty: Easy
2-20 The factors that require a firm to change its security planning, protections, and response are called driving forces.
TRUE
FALSE
Answer: TRUE
Page: 61
Question: 7a
Difficulty: Easy
2-21 Compliance laws and regulations ______.
a. create requirements to which security must respond
b. can be expensive for IT security
c. Both A and B
d. Neither A nor B
Answer: C
Page: 61
Question: 7b
Difficulty: Easy
2-22 A _____ is a material deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected.
a. material control failure
b. material control deficiency
c. critical control deficiency
d. critical control failure
Answer: B
Page: 61
Question: 8a
Difficulty: Medium
2-23 When companies studied where they stored private information, they found that much of this information was stored inside spreadsheets and word processing documents.
TRUE
FALSE
Answer: TRUE
Page: 63
Question: 9b
Difficulty: Easy
2-24 ______ specifically addresses data protection requirements at financial institutions.
a. GLBA
b. HIPAA
c. The Revised SEC Act
d. Sarbanes-Oxley
Answer: A
Page: 63
Question: 9c
Difficulty: Difficult
2-25 ______ specifically addresses data protection requirements at health care institutions.
a. GLBA
b. HIPAA
c. Sarbanes-Oxley
d. The SEC Act
Answer: B
Page: 63
Question: 9d
Difficulty: Medium
2-26 Data breach notification laws typically ______.
a. require companies to notify affected people if sensitive personally identifiable information is stolen or even lost
b. have caused companies to think more about security
c. Both A and B
d. Neither A nor B
Answer: C
Page: 63
Question: 10a
Difficulty: Medium
2-27 The FTC can act against companies that fail to take reasonable precautions to protect private information.
TRUE
FALSE
Answer: TRUE
Page: 64
Question: 11a
Difficulty: Easy
2-28 The FTC can _____.
a. impose fines
b. shut down companies that violate privacy laws repeatedly
c. Both A and B
d. Neither A nor B
Answer: A
Page: 64
Question: 11b
Difficulty: Medium
2-29 Which companies does PCI-DSS affect?
a. E-commerce firms.
b. Medical firms.
c. Government organizations.
d. Companies that accept credit card payments.
Answer: D
Page: 64
Question: 13
Difficulty: Easy
2-30 What type of organization is subject to FISMA?
a. E-commerce firms.
b. Medical firms.
c. Government organizations.
d. Companies that accept credit card payments.
Answer: C
Page: 64
Question: 14a
Difficulty: Easy
2-31 In FISMA, ______ is done internally by the organization.
a. certification
b. accreditation
c. Both A and B
d. Neither A nor B
Answer: C
Page: 64-65
Question: 14b
Difficulty: Medium
2-32 The manager of the security department often is called ______.
a. the chief security officer (CSO)
b. the chief information security officer (CISO)
c. Both A and B
d. Neither A nor B
Answer: C
Page: 65
Question: 15a
Difficulty: Easy
2-33 Placing security within IT ______.
a. creates independence
b. is likely to give security stronger backing from the IT department
c. Both A and B
d. Neither A nor B
Answer: B
Page: 65
Question: 16a
Difficulty: Medium
2-34 Independence is best provided for IT security by placing it within the IT department.
TRUE
FALSE
Answer: FALSE
Page: 65
Question: 16a
Difficulty: Easy
2-35 Most IT security analysts recommend placing IT security functions within the IT department.
TRUE
FALSE
Answer: FALSE
Page: 67
Question: 16c
Difficulty: Easy
2-36 In order to demonstrate support for security, top management must ______.
a. ensure that security has an adequate budget
b. support security when there are conflicts between the needs of security and the needs of other business functions
c. follow security procedures themselves
d. All of the above.
Answer: D
Page: 67-68
Question: 17b
Difficulty: Medium
2-37 ______ examines organizational units for efficiency, effectiveness, and adequate controls.
a. Internal auditing
b. Financial auditing
c. IT auditing
d. None of the above.
Answer: A
Page: 68
Question: 18b
Difficulty: Medium
2-38 ______ examines financial processes for efficiency, effectiveness, and adequate controls.
a. Internal auditing
b. Financial auditing
c. IT auditing
d. None of the above.
Answer: B
Page: 68
Question: 18b
Difficulty: Easy
2-39 ______ examines IT processes for efficiency, effectiveness, and adequate controls.
a. Internal auditing
b. Financial auditing
c. IT auditing
d. None of the above.
Answer: C
Page: 68
Question: 18b
Difficulty: Easy
2-40 Placing IT auditing in an existing auditing department would give it independence from IT security.
TRUE
FALSE
Answer: TRUE
Page: 68
Question: 18c
Difficulty: Easy
2-41 ______ entails investigating the IT security of external companies and the implications of close IT partnerships before implementing interconnectivity.
a. Auditing
b. Due diligence
c. Peer-to-peer security
d. Vulnerability testing
Answer: B
Page: 69
Question: 18h
Difficulty: Easy
2-42 To outsource some security functions, a firm can use an MISP.
TRUE
FALSE
Answer: FALSE
Page: 70
Question: 19a
Difficulty: Medium
2-43 A benefit of using MSSPs is that they provide ______.
a. cost savings
b. independence
c. Both A and B
d. Neither A nor B
Answer: C
Page: 70-71
Question: 19b
Difficulty: Medium
2-44 What security functions typically are outsourced?
a. Intrusion detection.
b. Vulnerability testing.
c. Both A and B.
d. Neither A nor B.
Answer: C
Page: 71
Question: 19c
Difficulty: Medium
2-45 What security functions typically are outsourced?
a. Policy.
b. Vulnerability testing.
c. Both A and B.
d. Neither A nor B.
Answer: B
Page: 71
Question: 19c
Difficulty: Medium
2-46 What security function(s) usually is (are) not outsourced?
a. Planning.
b. Intrusion detection.
c. Vulnerability testing.
d. All of the above.
Answer: A
Page: 71
Question: 19e
Difficulty: Medium
2-47 Vulnerability testing typically is not outsourced.
TRUE
FALSE
Answer: FALSE
Page: 71
Question: 19e
Difficulty: Medium
2-48 According to the author, information assurance is a good name for IT security.
TRUE
FALSE
Answer: FALSE
Page: 72
Question: 20a
Difficulty: Easy
2-49 The goal of IT security is risk elimination.
TRUE
FALSE
Answer: FALSE
Page: 72
Question: 20b
Difficulty: Medium
2-50 The goal of IT security is reasonable risk reduction.
TRUE
FALSE
Answer: TRUE
Page: 72
Question: 20b
Difficulty: Medium
2-51 Security tends to impede functionality.
TRUE
FALSE
Answer: TRUE
Page: 72
Question: 20c
Difficulty: Easy
2-52 In benefits, costs and benefits are expressed on a per-year basis.
TRUE
FALSE
Answer: TRUE
Page: 73
Question: 21a
Difficulty: Easy
2-53 SLE times ARO gives the _____.
a. expected per-event loss
b. expected annual loss
c. expected life cycle loss
d. expected per-event benefit
Answer: B
Page: 73
Question: 21b
Difficulty: Difficult
2-54 When risk analysis deals with costs and benefits that vary by year, the computations should use _____.
a. NPV
b. IRR
c. Either A or B
d. Neither A nor B
Answer: C
Page: 74
Question: 23a
Difficulty: Medium
2-55 Which of the following gives the best estimate of the complete cost of a compromise?
a. ALE
b. ARO
c. TCI
d. Life cycle cost
Answer: C
Page: 75-76
Question: 23b
Difficulty: Medium
2-56 The worst problem with classic risk analysis is that ______.
a. protections often protect multiple resources
b. resources often are protected by multiple resources
c. we cannot estimate the annualized rate of occurrence
d. costs and benefits are not the same each year
Answer: C
Page: 76
Question: 23d
Difficulty: Medium
2-57 The book recommends hard-headed thinking about security ROI analysis.
TRUE
FALSE
Answer: FALSE
Page: 76-77
Question: 23e
Difficulty: Easy
2-58 Which of the following is a way of responding to risk with active countermeasures?
a. Risk reduction.
b. Risk acceptance.
c. Risk avoidance.
d. All of the above.
Answer: A
Page: 78
Question: 24a
Difficulty: Easy
2-59 ______ means responding to risk by doing nothing.
a. Risk reduction
b. Risk acceptance
c. Risk avoidance
d. Risk transference
e. None of the above
Answer: B
Page: 78
Question: 24b
Difficulty: Easy
2-60 ______ means responding to risk by taking out insurance.
a. Risk reduction.
b. Risk acceptance.
c. Risk avoidance.
d. Risk transference.
e. None of the above.
Answer: D
Page: 78
Question: 24c
Difficulty: Easy
2-61 ______ means responding to risk by not taking a risky action.
a. Risk reduction.
b. Risk acceptance.
c. Risk avoidance.
d. Risk transference.
e. None of the above.
Answer: C
Page: 78
Question: 24e
Difficulty: Easy
2-62 Responding to risk through risk avoidance is likely to be acceptable to other units of the firm.
TRUE
FALSE
Answer: FALSE
Page: 78
Question: 24f
Difficulty: Medium
2-63 A technical security architecture includes _____.
a. all of a firm's countermeasures
b. how countermeasures are organized
c. Both A and B
d. Neither A nor B
Answer: C
Page: 79
Question: 25a
Difficulty: Easy
2-64 A technical security architecture should be created _____.
a. annually
b. before a firm creates individual countermeasures
c. before a firm creates a specific countermeasure
d. after each major compromise
Answer: B
Page: 79
Question: 25c
Difficulty: Medium
2-65 Companies should replace their legacy security technologies immediately.
TRUE
FALSE
Answer: FALSE
Page: 79
Question: 25d
Difficulty: Medium
2-66 Using both a firewall and host hardening to protect a host is _____.
a. defense in depth
b. risk acceptance
c. an anti-weakest link strategy
d. adding berms
Answer: A
Page: 80-81
Question: 26a
Difficulty: Easy
2-67 ______ requires multiple countermeasures to be defeated for an attack to succeed.
a. Defense in depth
b. Weakest link analysis
c. Both A and B
d. Neither A nor B
Answer: A
Page: 81
Question: 26b
Difficulty: Easy
2-68 ______ is a single countermeasure composed of multiple interdependent components in series that require all components to succeed if the countermeasure is to succeed.
a. Defense in depth
b. Weakest link
c. Both A and B
d. Neither A nor B
Answer: B
Page: 81
Question: 26b
Difficulty: Easy
2-69 Central security consoles _____.
a. are dangerous
b. allow policies to be applied consistently
c. Both A and B
d. Neither A nor B
Answer: C
Page: 81
Question: 26d
Difficulty: Easy
2-70 Security professionals should minimize burdens on functional departments.
TRUE
FALSE
Answer: TRUE
Page: 81
Question: 26e
Difficulty: Easy
2-71 Having realistic goals for reducing vulnerabilities _____.
a. is giving in to the problem
b. focuses on the most critical threats
c. is a cost-saving method
d. is risk avoidance
Answer: B
Page: 82
Question: 26f
Difficulty: Medium
2-72 Border management _____.
a. is no longer important because there are so many ways to bypass borders
b. is close to a complete solution to access control
c. Both A and B
d. Neither A nor B
Answer: D
Page: 82
Question: 27b
Difficulty: Medium
2-73 A(n) ______ is a statement of what should be done under specific circumstances.
a. implementation control
b. policy
c. policy guidance document
d. procedure
Answer: B
Page: 83
Question: 28a
Difficulty: Easy
2-74 Policies should specify the details of how protections are to be applied.
TRUE
FALSE
Answer: FALSE
Page: 83-84
Question: 28b
Difficulty: Easy
2-75 Policies should specify implementation in detail.
TRUE
FALSE
Answer: FALSE
Page: 83
Question: 28c
Difficulty: Easy
2-76 Which of the following is more detailed?
a. The corporate security policy.
b. A major security policy.
c. Both should be about equally detailed.
Answer: B
Page: 85
Question: 29a
Difficulty: Easy
2-77 Which of the following is more detailed?
a. An acceptable use policy.
b. A major security policy.
c. Both are about equally detailed.
Answer: B
Page: 85
Question: 29b
Difficulty: Easy
2-78 When you wish to create a specific firewall, you should create a security policy for that firewall specifically.
TRUE
FALSE
Answer: TRUE
Page: 85
Question: 29d
Difficulty: Medium
2-79 Policies should be written by ______.
a. IT security
b. corporate teams involving people from multiple departments
c. a senior executive
d. an outside consultant, to maintain independence
Answer: B
Page: 86
Question: 30
Difficulty: Easy
2-80 ______ are mandatory.
a. Standards
b. Guidelines
c. Both A and B
d. Neither A nor B
Answer: A
Page: 87-88
Question: 31a
Difficulty: Easy
2-81 ______ are discretionary.
a. Standards
b. Guidelines
c. Both A and B
d. Neither A nor B
Answer: B
Page: 87-88
Question: 31a
Difficulty: Easy
2-82 It is mandatory for decision makers to consider guidelines.
TRUE
FALSE
Answer: TRUE
Page: 88
Question: 31b
Difficulty: Easy
2-83 Guidelines are appropriate in simple and highly certain circumstances.
TRUE
FALSE
Answer: FALSE
Page: 88
Question: 31c
Difficulty: Easy
2-84 ______ specify the low-level detailed actions that must be taken by specific employees.
a. Procedures
b. Processes
c. Both A and B
d. Neither A nor B
Answer: A
Page: 88-89
Question: 32a
Difficulty: Easy
2-85 The steps required to issue a new employee a password should be specified in a ______.
a. procedure
b. process
c. Both A and B
d. Neither A nor B
Answer: A
Page: 89
Question: 32b
Difficulty: Medium
2-86 In manual procedures, the segregation of duties _____.
a. reduces risk
b. increases risk by creating blind spots
c. increases risk by reducing accountability
d. can only be done safely through information technology
Answer: A
Page: 88
Question: 32c
Difficulty: Easy
2-87 When someone requests to take an action that is potentially dangerous, what protection should be put into place?
a. Limit the number of people that may request an approval.
b. Ensure that the approver is the same as the requestor.
c. Both A and B.
d. Neither A nor B.
Answer: A
Page: 88-89
Question: 32d
Difficulty: Medium
2-88 Mandatory vacations should be enforced _____.
a. to improve employee diligence to threats
b. to expose employee schemes
c. to be in compliance with state and federal law
d. for ethical purposes
Answer: B
Page: 88
Question: 32e
Difficulty: Easy
2-89 ______ are checklists of what should be done in a specific procedure.
a. Baselines
b. Guidelines
c. Standards
d. Procedures
Answer: A
Page: 88-89
Question: 32f
Difficulty: Medium
2-90 ______ are descriptions of what the best firms in the industry are doing about security.
a. Best practices
b. Recommended practices
c. Both A and B
d. Neither A nor B
Answer: A
Page: 89
Question: 32g
Difficulty: Easy
2-91 ______ are prescriptive statements about what companies should do and are put together by trade associations and government agencies.
a. Best practices
b. Recommended practices
c. Both A and B
d. Neither A nor B
Answer: B
Page: 89
Question: 32g
Difficulty: Easy
2-92 The party that is ultimately held accountable for a resource or control is ______.
a. the owner
b. the trustee
c. the accredited security officer
d. the certified security officer
Answer: A
Page: 90
Question: 32h
Difficulty: Easy
2-93 The owner can delegate _____ to the trustee.
a. the work of implementing a resource or control
b. accountability for a resource or control
c. Both A and B
d. Neither A nor B
Answer: A
Page: 90
Question: 32i
Difficulty: Easy
2-94 Different honest people can make different ethical decisions in a given situation.
TRUE
FALSE
Answer: TRUE
Page: 90
Question: 33a
Difficulty: Easy
2-95 Companies create codes of ethics in order to make ethical decision making more predictable.
TRUE
FALSE
Answer: TRUE
Page: 90
Question: 33b
Difficulty: Easy
2-96 In a firm, codes of ethics apply to ______.
a. part-time employees
b. senior managers
c. Both A and B
d. Neither A nor B
Answer: C
Page: 90
Question: 33d
Difficulty: Easy
2-97 Senior officers often get an additional code of ethics.
TRUE
FALSE
Answer: TRUE
Page: 90
Question: 33e
Difficulty: Medium
2-98 Which of the following is an example of a conflict of interest?
a. Preferential dealings with relatives.
b. Investing in competitors.
c. Competing with the company while still employed by the company.
d. All of the above.
Answer: D
Page: 90
Question: 33h
Difficulty: Medium
2-99 ______ are monetary gifts to induce an employee to favor a supplier or other party.
a. Bribes
b. Kickbacks
c. Both A and B
d. Neither A nor B
Answer: A
Page: 90
Question: 33k
Difficulty: Easy
2-100 ______ are payments made by a supplier to a corporate buyer when a purchase is made.
a. Bribes
b. Kickbacks
c. Both A and B
d. Neither A nor B
Answer: B
Page: 90
Question: 33k
Difficulty: Easy
2-101 It is acceptable for an employee to reveal ______.
a. confidential information
b. private information
c. trade secrets
d. None of the above.
Answer: D
Page: 90
Question: 33l
Difficulty: Easy
2-102 Exceptions should be forbidden.
TRUE
FALSE
Answer: FALSE
Page: 92
Question: 34a
Difficulty: Easy
2-103 Which of the following is a good rule for handling exceptions?
a. Only some people should be allowed to request exceptions.
b. The requestor and approver should be different people.
c. The exception should be documented.
d. All of the above.
Answer: D
Page: 92
Question: 34c
Difficulty: Easy
2-104 Policies drive _____.
a. implementation
b. oversight
c. Both A and B
d. Neither A nor B
Answer: C
Page: 93
Question: 35b
Difficulty: Easy
2-105 Stinging employees _____.
a. raises awareness
b. raises resentment
c. Both A and B
d. Neither A nor B
Answer: C
Page: 95
Question: 35f
Difficulty: Easy
2-106 Electronic employee monitoring is rare.
TRUE
FALSE
Answer: FALSE
Page: 95
Question: 35g
Difficulty: Easy
2-107 Informing employees that monitoring will be done is a bad idea.